SIP? NAT? NOT! Traversing the Firewall for SIP Call Completion Steven Johnson President, Ingate Systems Inc.

Presentation transcript:

1 SIP? NAT? NOT! Traversing the Firewall for SIP Call Completion
Steven Johnson, President, Ingate Systems Inc.

2 The Third Wave of the Internet
HTTP created the Web
SMTP created Email
SIP can create universal live IP communication, person-to-person!

3 It’s all there – almost…
A single network (IP)
Everyone has a connection
High capacity and good performance
A single protocol (SIP)
But SIP does not traverse common firewalls and NATs

4 It’s All There – Almost…
A single network (IP)
Everyone has a connection
High capacity and good performance
A single protocol: SIP
Firewalls exclude inbound traffic
SIP does not traverse common firewalls and NATs

5 What’s the difference?
Typical Internet protocols (SMTP, HTTP…): a host connects across the Internet to a server.
SIP (and H.323…): connects person-to-person across the Internet.

6 More than IP Telephony!
HTTP created the Web
SMTP created Email
SIP can create universal live IP communication, person-to-person!
It’s the Third Wave of the Internet

7 A richer communications experience
It’s Presence
It’s Instant Messaging
It’s Video
And it’s voice

8 Converged Networks
Realtime Communications: connect people, information and processes in real time.
A change in communications style
+ A change in communications tools
+ A change in the work paradigm
= An opportunity for productivity improvement

9 One Way: VoIP Islands…
VPN is fine for branch-to-branch connections (headquarters IP network to branch office IP network through a VPN tunnel over the Internet).
But vendor, partner and customer IP networks remain separate islands, and the goal is global connectivity.

10 The Global All-IP Way
SIP-capable firewalls make the difference

11 Suggested CPE Solutions
STUN / TURN / ICE
– Can cope with certain types of existing NATs
– Complexity has grown in trying to increase reliability and handle more NATs
– Needs to be implemented in the SIP clients and servers on the Net
– Tight firewalls will not be handled
Dynamically-controlled firewalls/NATs
– Midcom: by a Firewall Control Proxy (no activity known at this time)
– UPnP: by the client (Windows) (Microsoft)
ALG (non-Proxy) SIP-aware firewall
– TLS not possible
ALG + Proxy SIP-aware firewall
– General; handles complex scenarios; PBX functionality
Tunnelling – brings the SIP client to an operator or a corporate LAN
– Requires an ALG for each client on a LAN with its own address space
– IPsec, proprietary

12 STUN / TURN / ICE
Evolving IETF standard
Requires a client on the inside of the LAN and a “reflector” in the network
The client “pings” the reflector, which returns the internal IP address that is being broadcast by the SIP end point
Once the internal IP address is known, all communications carry that IP address in the header information

13 STUN / TURN / ICE
Benefits
– Simple solution to NAT traversal
– Offers an alternative to home users and small businesses that don’t wish to incorporate a full firewall solution
Problems
– Exposes the internal IP addressing scheme
– Circumvents the protection offered by the firewall
– Inappropriate for enterprises and others with valuable information to protect on their LAN
– Only works for certain types of NATs

14 Midcom
Developing IETF standard for managing controllable firewalls with a Firewall Control Proxy
Elegant solution that puts the solution at the point where the problem occurs
The Firewall Control Proxy would dynamically control the firewall to accept SIP media only when authorized
Control resides with the Firewall Control Proxy, and the existing firewall takes care of all of the logging

15 Midcom
Benefits
– Based on an IETF standard
– Leaves the firewall in place
– Offers a separate device to just manage SIP sessions
Problems
– No companies are currently developing this technology
– There are currently no firewalls that are controllable by an outside agent
– Leaves vulnerabilities on the Firewall Control Proxy which could result in a violation of network security

16 UPnP
Universal Plug and Play
Proposed by Microsoft
Allows all end points to be controlled by the Microsoft agent

17 UPnP
Benefits
– Simple implementation
– Nothing to set up or configure
– Excellent implementation for home users
– Would expand the use of SIP
Problems
– Limited utility for enterprises of any size
– Cannot handle complex call scenarios
– Solution handles NAT only
– Cannot handle hard phones, only soft clients
– Security of the network controlled by a Windows server

18 ALG (non-Proxy) SIP-Aware Firewall
An implementation which sits between two hosts and modifies the information flow between them on the fly
ALGs normally make small modifications to the packets

19 ALG (non-Proxy) SIP-Aware Firewall
Benefits
– Theoretically faster processing times than proxy-based solutions
– Performs most of the important functions of allowing traversal of the NATed firewall
– Able to dynamically open and close ports for media
Problems
– Cannot read deeply into the packet headers
– Cannot support encryption (TLS); ALGs see everything in the clear, so modifying authenticated packets is impossible
– Setup of complex call scenarios is a problem
– Current implementations do not support soft clients

20 ALG + Proxy SIP-Aware Firewall
ALG performs the NAT traversal function
Proxy terminates a packet flow, then re-initiates the flow to the destination address
– Records the SIP client address to locate it behind the NAT
– Digest authentication
– Rewrites headers
Proxies can look deeply into the header information because the packet is stopped briefly
– Inspection of SIP signaling (including Instant Messages)
Support for Transport Layer Security (TLS)
– Adds privacy and authentication to communications
– TLS is being used for adding security to Microsoft Office Live Communications Server, Avaya, Reuters and others
Can also be used as a separate SIP firewall when all data ports are permanently closed
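As an added illustration (not code from the slides or from Ingate), the Python below does the core header rewrite that the ALG and proxy slides describe on an outbound INVITE: the private LAN address in Via, Contact and the SDP o=/c= lines is replaced with the public address, Content-Length is corrected, and the m= line yields the media ports the firewall must pin-hole. The addresses, Call-ID and other values are constructed; every field touched must be visible in the clear, which is exactly why this cannot be done on TLS-protected signaling.

```python
import re

# Constructed sample: an INVITE from a SIP client on a private LAN (10.0.0.5)
# leaving through a NAT whose public address is 203.0.113.10 (all values made up).
PRIVATE_IP, PUBLIC_IP = "10.0.0.5", "203.0.113.10"
PRIVATE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.org SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.org>;tag=1928301774",
    "To: <sip:bob@example.org>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@10.0.0.5:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0", "o=alice 2890844526 2890844526 IN IP4 10.0.0.5", "s=-",
    "c=IN IP4 10.0.0.5", "t=0 0", "m=audio 49170 RTP/AVP 0",
])

def alg_rewrite(msg, private_ip, public_ip):
    """Do what a SIP ALG does to an outbound INVITE: replace the private address
    in Via/Contact and in the SDP o=/c= lines, fix Content-Length, and return the
    media ports the firewall must pin-hole (RTP port and port+1 for RTCP)."""
    headers, _, body = msg.partition("\r\n\r\n")
    new_headers = []
    for line in headers.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name == "content-length":
            continue  # recomputed below: the rewritten body changes length
        if name in ("via", "contact"):
            line = line.replace(private_ip, public_ip)
        new_headers.append(line)
    new_body, ports = [], []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = line.replace(private_ip, public_ip)
        elif line.startswith("m="):
            port = int(line.split()[1])
            ports += [port, port + 1]
        new_body.append(line)
    body_out = "\r\n".join(new_body)
    new_headers.append(f"Content-Length: {len(body_out)}")
    return "\r\n".join(new_headers) + "\r\n\r\n" + body_out, ports

def leaks_private_address(msg, private_ip):
    """Audit check: does the message still carry the LAN address anywhere?"""
    return private_ip in msg

def content_length_ok(msg):
    """True when the Content-Length header matches the body actually carried."""
    headers, _, body = msg.partition("\r\n\r\n")
    m = re.search(r"^Content-Length:\s*(\d+)", headers, flags=re.M | re.I)
    return m is not None and int(m.group(1)) == len(body)
```

The leak check is the same test that explains the STUN slide's "exposes the internal IP addressing scheme" problem: a message that leaves the LAN with the private address intact tells the far end how the inside is numbered.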

21 ALG + Proxy SIP-Aware Firewall
Benefits
– Most flexible solution
– Able to support all call scenarios, despite complexity
– Can support servers on the inside of the LAN
– Supports TLS
– Flexible and adaptable
– Offers a backup registration/location server option
– Simple PBX functions can be added
Problems
– Theoretically slower performance

22 Summary of Advantages
Capability                                     ALG with Proxy   ALG
Support for TLS                                Yes              No
Flexible support for complex call scenarios    Yes              No
Backup registrar and other services            Yes              No
Support for soft clients                       Yes              No

23 Real and Complex Scenarios
Diagram: a LAN with a SIP server, an IP phone and an XP soft client behind a Firewall/NAT, connected over the Internet to SIP Server 2, SIP Server 3, SIP Server 4 and a SIP/PSTN gateway, with one of the connections protected by TLS.
Complications for non-proxy solutions:
– Tight firewalls
– Call transfer
– SIP server on the LAN
– Trusted connections: TLS
Sooner or later, the NAT/firewall problem needs to be solved where it occurs.

24 SIP? NAT? NOT! Traversing the Firewall for SIP Call Completion
Steven Johnson, President, Ingate Systems Inc.
